Execute-Only Attacks against Execute-Only Defenses
Abstract
Execute-only defenses have been proposed as a way of mitigating the information leakage attacks that have been widely used to bypass randomization-based memory corruption defenses. A recent technique, Readactor, provides one of the strongest implementations of execute-only defenses: it exploits novel hardware features to make code non-readable in order to prevent direct information leakage, adds a layer of indirection to prevent indirect information leakage through pointers located on the stack and heap, and uses code randomization as well as decoys to prevent brute-force attacks. In this paper, we demonstrate three novel attacks that can bypass Readactor as well as numerous other recent memory corruption defenses, with varying impact. We analyze the prevalence of opportunities for such attacks in popular code bases and build two proof-of-concept exploits. Moreover, we implement countermeasures against our attacks in Readactor itself and discuss their implications. Our evaluations indicate that our countermeasures introduce only a modest additional overhead.
Document Details
- Document Type: Technical Report
- Publication Date: Nov 13, 2015
- Accession Number: AD1034499
Entities
People
- Ahmad-Reza Sadeghi
- Andrea Homescu
- Christopher Liebchen
- David Bigelow
- Hamed Okhravi
- Lucas Davi
- Michael Franz
- Per Larsen
- Richard Skowyra
- Robert Rudd
- Stephen Crane
- Thomas Hobson
- Veer Dedhia
- William Streilein
Organizations
- MIT Lincoln Laboratory